FBI Alerts that 2FA is Bypassed by Phishing Attacks

The FBI recently delivered a Private Industry Notification (PIN) in which it pointed to two new hacker tools that can bypass two-factor authentication. A Dark Reading article shared that the PIN noted threat actors are using “well-known techniques including social engineering and man-in-the-middle attacks, facilitated with two new hacker tools: Muraena (named for a family of eels), which automates phishing attacks, and NecroBrowser, which helps to hijack a legitimate authentication session. Together, the tools can turn a victim’s browser into a credential-stealing zombie that gives no notice to the legitimate user.”

We’ve been highlighting several phishing attacks that bypass two-factor authentication (2FA) this year. In fact, back in June we included a link to a Fortune article in our blog posting that had a 40-minute video demonstrating how hackers were using Muraena and NecroBrowser to break through 2FA. Another technique we’ve seen involves malicious browser extensions that simply wait for the 2FA to complete. For example, a user logs into a ServiceNow Management Portal; once 2FA is complete, the browser extension starts collecting and secretly transmitting data to a C2 server, exposing important business data to bad actors. With bad actors waiting for the user to log in legitimately before they start scraping data from the browser, 2FA or MFA ceases to be a viable security option to protect organizations.
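As an added example (not from the original post or the FBI notification), here is a defender-side check over a constructed access log that flags a session which, after the second factor was accepted, is driven from a different client IP or user agent, the trace a hijacked authentication session leaves on the server. The log format, the `/2fa/verify` path and all sample values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (not from the post). Session a1f3 completes
# 2FA from one client and is then driven from another; b7c9 is a normal
# session. IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2019-10-07T14:02:11Z sid=a1f3 ip=203.0.113.10 ua=Firefox/69 path=/login
2019-10-07T14:02:40Z sid=a1f3 ip=203.0.113.10 ua=Firefox/69 path=/2fa/verify
2019-10-07T14:02:47Z sid=a1f3 ip=198.51.100.7 ua=HeadlessChrome/77 path=/account/export
2019-10-07T14:02:52Z sid=a1f3 ip=198.51.100.7 ua=HeadlessChrome/77 path=/payments/add
2019-10-07T14:05:00Z sid=b7c9 ip=192.0.2.55 ua=Safari/13 path=/login
2019-10-07T14:05:21Z sid=b7c9 ip=192.0.2.55 ua=Safari/13 path=/2fa/verify
2019-10-07T14:06:02Z sid=b7c9 ip=192.0.2.55 ua=Safari/13 path=/dashboard
"""

LINE_RE = re.compile(r"(\S+) sid=(\S+) ip=(\S+) ua=(\S+) path=(\S+)")
SECOND_FACTOR_PATH = "/2fa/verify"  # hypothetical path where 2FA completes


def parse_log(text):
    """Yield one dict per well-formed log line, in file order."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, sid, ip, ua, path = m.groups()
            yield {"ts": ts, "sid": sid, "ip": ip, "ua": ua, "path": path}


def find_hijacked_sessions(text):
    """Return {sid: [(ts, ip, ua, path), ...]} for every request that reuses
    a session after 2FA from a client (IP or user agent) other than the one
    that completed the second factor."""
    bound_client = {}  # sid -> (ip, ua) observed when 2FA completed
    flagged = defaultdict(list)
    for ev in parse_log(text):
        sid = ev["sid"]
        if ev["path"] == SECOND_FACTOR_PATH:
            bound_client[sid] = (ev["ip"], ev["ua"])
            continue
        if sid in bound_client and bound_client[sid] != (ev["ip"], ev["ua"]):
            flagged[sid].append((ev["ts"], ev["ip"], ev["ua"], ev["path"]))
    return dict(flagged)


if __name__ == "__main__":
    for sid, hits in find_hijacked_sessions(SAMPLE_LOG).items():
        print(f"session {sid}: {len(hits)} post-2FA request(s) from another client")
        for ts, ip, ua, path in hits:
            print(f"  {ts} {ip} {ua} {path}")
```

A legitimate user who changes networks mid-session will also trip this check, so treat a hit as a signal to step up verification or re-authenticate rather than as proof of compromise.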

Technical support scams are another phishing attack we’ve seen successfully bypassing 2FA. Threat actors use tactics to convince users to install remote-access software such as TeamViewer or LogMeIn, which allows them to log in remotely to their victim’s system or network. A fake scan is then performed, the TeamViewer session is left open, and access is sold to others.

Scareware and fake 2FA pages and popups are other ways phishing threat actors are stealing credentials to bypass 2FA. Remember, all a hacker really needs to do to get around 2FA is create a two-step phishing attack – one fake site to capture login credentials, and another to capture the additional 2FA code.

A recent ZDNet article detailed the FBI PIN that shared a few incidents where hackers used phishing techniques to bypass 2FA to steal money from unsuspecting companies and users. You can check out those cited attacks here in the article. One goes back as far as 2016.

2FA does not protect against other types of phishing threats including scareware, social engineering scams, rogue software, phishing exploits, and phishing callbacks (C2s). Meaning? It’s another best practice we recommend but it’s only part of a larger recipe for success. In this recipe, one of the main ingredients has to be comprehensive real-time phishing detection and protection.

SlashNext Real-Time Phishing Threat Intelligence is powered by SEER™ threat detection technology and detects all six major phishing types. SEER (Session Emulation and Environment Reconnaissance) uses virtual browsers in a purpose-built cloud to dynamically inspect sites with advanced computer vision, OCR, NLP, and active site behavioral analysis. Machine learning enables definitive verdicts—malicious or benign—with exceptional accuracy and near-zero false positives.

SlashNext can help improve peace of mind by providing a complimentary gap analysis, a great start to understanding your cybersecurity needs.
